bugzilla-daemon at bugzilla.netfilter.org
2009-Dec-30 02:16 UTC
[Bug 627] New: NATed TCP-connections fail arbitrarily
http://bugzilla.netfilter.org/show_bug.cgi?id=627

           Summary: NATed TCP-connections fail arbitrarily
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: blocker
          Priority: P1
         Component: ip_conntrack
        AssignedTo: laforge at netfilter.org
        ReportedBy: xuan--2009--bugzilla.netfilter.org at baldauf.org

It looks like incoming TCP packets are not always matched against a conntrack rule. The result is that the NATing linux box sends TCP-reset packets upon receiving an incoming TCP packet which should be NATed, which in turn kills the connection.

Consider the following setup:

client has IP address 192.168.0.7/24
router1 has IP address 192.168.0.2/24 dev eth0 (connected to client)
router1 has IP address 192.168.2.103/24 dev wlan0 (connected to router2)
router2 has IP address 192.168.2.1/24 (connected to router1)
router2 is connected to the public internet

Both routers do NAT. The linux box with the bug is router1.

NAT on router1 is activated by "iptables -t nat -I POSTROUTING --source 192.168.0.0/24 --out-interface wlan0 -j MASQUERADE".

When I do this on the client:

# LANG=en_US.utf-8 wget "http://de.download.nvidia.com/XFree86/Linux-x86/190.53/NVIDIA-Linux-x86-190.53-pkg1.run"
--2009-12-30 02:51:19-- http://de.download.nvidia.com/XFree86/Linux-x86/190.53/NVIDIA-Linux-x86-190.53-pkg1.run
Resolving de.download.nvidia.com... 62.156.238.26, 62.156.238.8
Connecting to de.download.nvidia.com|62.156.238.26|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24034182 (23M) [text/plain]
Saving to: `NVIDIA-Linux-x86-190.53-pkg1.run'

0% [> ] 173,214 430K/s in 0.4s

2009-12-30 02:51:19 (430 KB/s) - Read error at byte 173214/24034182 (Connection reset by peer). Retrying.

then the following happens on the outer interface of router1:

(The tcpdump logs have been abridged because bugzilla says "Comments cannot be longer than 65,535 characters. " when submitting.)

# tcpdump -S -s 2500 -n -i wlan0 port 80
02:51:19.081090 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [S], seq 3972011273, win 5840, options [mss 1460,nop,nop,TS val 4969629 ecr 0,nop,wscale 6], length 0
02:51:19.097453 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [S.], seq 1965432836, ack 3972011274, win 5792, options [mss 1452,nop,nop,TS val 2914002010 ecr 4969629,nop,wscale 1], length 0
02:51:19.097597 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965432837, win 92, options [nop,nop,TS val 4969645 ecr 2914002010], length 0
02:51:19.118084 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [P.], ack 1965432837, win 92, options [nop,nop,TS val 4969665 ecr 2914002010], length 167
02:51:19.136573 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002049 ecr 4969665], length 0
02:51:19.146218 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002058 ecr 4969665], length 1440
02:51:19.146615 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965434277, win 137, options [nop,nop,TS val 4969694 ecr 2914002058], length 0
02:51:19.146955 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002058 ecr 4969665], length 1440
02:51:19.147329 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965435717, win 182, options [nop,nop,TS val 4969695 ecr 2914002058], length 0
[...]
02:51:19.426175 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969974 ecr 2914002277], length 0
02:51:19.426169 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002329 ecr 4969920], length 1440
02:51:19.426557 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969974 ecr 2914002277], length 0
02:51:19.432676 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [P.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002329 ecr 4969920], length 1440
02:51:19.433040 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002332 ecr 4969922], length 1440
02:51:19.433092 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969981 ecr 2914002277], length 0
02:51:19.433455 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969981 ecr 2914002277], length 0
02:51:19.434297 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002332 ecr 4969922], length 1440
02:51:19.434691 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969983 ecr 2914002277], length 0
02:51:19.435551 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002332 ecr 4969922], length 1440
02:51:19.435916 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002334 ecr 4969922], length 1440
02:51:19.435959 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969984 ecr 2914002277], length 0
02:51:19.436328 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969984 ecr 2914002277], length 0
02:51:19.436417 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002336 ecr 4969922], length 1440
02:51:19.436789 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002341 ecr 4969923], length 1440
02:51:19.436803 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969985 ecr 2914002277], length 0
02:51:19.437181 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4969985 ecr 2914002341], length 0
02:51:19.437289 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002342 ecr 4969924], length 1440
02:51:19.437686 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4969986 ecr 2914002341], length 0
02:51:19.445549 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002356 ecr 4969925], length 1440
02:51:19.445959 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4969994 ecr 2914002341], length 0
02:51:19.447413 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002358 ecr 4969926], length 1440
02:51:19.447807 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4969996 ecr 2914002341], length 0
02:51:19.461672 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002367 ecr 4969928], length 1440
02:51:19.462062 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970010 ecr 2914002341], length 0
02:51:19.462161 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002368 ecr 4969929], length 1440
02:51:19.462545 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970010 ecr 2914002341], length 0
02:51:19.462539 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002372 ecr 4969930], length 1440
02:51:19.462932 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970011 ecr 2914002341], length 0
02:51:19.464412 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002374 ecr 4969932], length 1440
02:51:19.464826 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970013 ecr 2914002341], length 0
02:51:19.467412 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002377 ecr 4969932], length 1440
02:51:19.467833 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970016 ecr 2914002341], length 0
02:51:19.468036 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002378 ecr 4969934], length 1440
02:51:19.468441 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970016 ecr 2914002341], length 0
02:51:19.472176 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002382 ecr 4969935], length 1440
02:51:19.472605 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970020 ecr 2914002341], length 0
02:51:19.474175 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002383 ecr 4969935], length 1440
02:51:19.474602 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970022 ecr 2914002341], length 0
02:51:19.475420 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002386 ecr 4969936], length 1440
02:51:19.475818 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970024 ecr 2914002341], length 0
02:51:19.477161 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002387 ecr 4969953], length 1440
02:51:19.477568 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970025 ecr 2914002341], length 0
02:51:19.484544 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002392 ecr 4969955], length 1440
02:51:19.484981 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970033 ecr 2914002341], length 0
02:51:19.489293 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002396 ecr 4969956], length 1440
02:51:19.489316 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.489657 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002401 ecr 4969959], length 1440
02:51:19.489664 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.493034 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002404 ecr 4969959], length 1440
02:51:19.493046 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.496417 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002407 ecr 4969960], length 1440
02:51:19.496430 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.503291 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002408 ecr 4969960], length 1440
02:51:19.503304 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.503780 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002410 ecr 4969965], length 1440
02:51:19.503786 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.504155 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002413 ecr 4969967], length 1440
02:51:19.504161 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.506171 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002416 ecr 4969968], length 1440
02:51:19.506184 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.508041 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002418 ecr 4969968], length 1440
02:51:19.508053 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.509906 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002421 ecr 4969969], length 1440
02:51:19.509919 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.512166 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002423 ecr 4969970], length 1440
02:51:19.512179 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.515404 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002426 ecr 4969970], length 1440
02:51:19.515416 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.519040 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002430 ecr 4969971], length 1440
02:51:19.519053 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.523914 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002435 ecr 4969972], length 1440
02:51:19.523926 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.526788 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002436 ecr 4969973], length 1440
02:51:19.526801 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.530163 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002440 ecr 4969974], length 1440
02:51:19.530176 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.531903 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002442 ecr 4969974], length 1440
02:51:19.531916 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.535281 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002444 ecr 4969981], length 1440
02:51:19.535293 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.535651 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002445 ecr 4969981], length 1440
02:51:19.535658 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.537787 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002449 ecr 4969984], length 1440
02:51:19.537806 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.539652 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002451 ecr 4969984], length 1440
02:51:19.539664 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.541401 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002452 ecr 4969985], length 1440
02:51:19.541808 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965606320, win 1576, options [nop,nop,TS val 4970090 ecr 2914002452], length 0
02:51:19.547786 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002455 ecr 4969985], length 1440
02:51:19.547798 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.549036 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002456 ecr 4969986], length 1440
02:51:19.549049 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.549399 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002460 ecr 4969996], length 1440
02:51:19.549405 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.552910 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002464 ecr 4970010], length 1440
02:51:19.552922 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.558909 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002468 ecr 4970011], length 1440
02:51:19.558922 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.562159 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002470 ecr 4970013], length 1440
02:51:19.562172 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.562522 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002472 ecr 4970016], length 1440
02:51:19.562528 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.570532 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002478 ecr 4970020], length 1440
02:51:19.570545 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.570896 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002481 ecr 4970024], length 1440
02:51:19.570902 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.574147 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002482 ecr 4970025], length 1440
02:51:19.574159 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.606120 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [R], seq 1965606320, win 0, length 0

and the following happens on the inner interface of router1:

# tcpdump -S -s 2500 -n -i eth0 port 80
02:51:19.081076 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [S], seq 3972011273, win 5840, options [mss 1460,nop,nop,TS val 4969629 ecr 0,nop,wscale 6], length 0
02:51:19.097464 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [S.], seq 1965432836, ack 3972011274, win 5792, options [mss 1452,nop,nop,TS val 2914002010 ecr 4969629,nop,wscale 1], length 0
02:51:19.097591 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965432837, win 92, options [nop,nop,TS val 4969645 ecr 2914002010], length 0
02:51:19.118071 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [P.], ack 1965432837, win 92, options [nop,nop,TS val 4969665 ecr 2914002010], length 167
02:51:19.136584 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002049 ecr 4969665], length 0
02:51:19.146229 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002058 ecr 4969665], length 1440
02:51:19.146609 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965434277, win 137, options [nop,nop,TS val 4969694 ecr 2914002058], length 0
02:51:19.146961 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002058 ecr 4969665], length 1440
02:51:19.147324 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965435717, win 182, options [nop,nop,TS val 4969695 ecr 2914002058], length 0
02:51:19.149601 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002058 ecr 4969665], length 1440
02:51:19.149987 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965437157, win 227, options [nop,nop,TS val 4969698 ecr 2914002058], length 0
02:51:19.150085 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002058 ecr 4969665], length 1440
02:51:19.150469 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965438597, win 273, options [nop,nop,TS val 4969698 ecr 2914002058], length 0
02:51:19.164978 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002075 ecr 4969694], length 1440
02:51:19.165374 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965440037, win 318, options [nop,nop,TS val 4969713 ecr 2914002075], length 0
02:51:19.165457 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002075 ecr 4969694], length 1440
02:51:19.165836 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965441477, win 363, options [nop,nop,TS val 4969713 ecr 2914002075], length 0
02:51:19.167338 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002078 ecr 4969695], length 1440
02:51:19.167716 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965442917, win 408, options [nop,nop,TS val 4969715 ecr 2914002078], length 0
02:51:19.170723 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002078 ecr 4969695], length 1440
02:51:19.171100 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965444357, win 454, options [nop,nop,TS val 4969719 ecr 2914002078], length 0
02:51:19.171977 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002080 ecr 4969698], length 1440
02:51:19.172332 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002080 ecr 4969698], length 1440
02:51:19.172349 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965445797, win 499, options [nop,nop,TS val 4969720 ecr 2914002080], length 0
02:51:19.172697 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965447237, win 544, options [nop,nop,TS val 4969720 ecr 2914002080], length 0
02:51:19.172839 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002081 ecr 4969698], length 1440
02:51:19.173206 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002081 ecr 4969698], length 1440
02:51:19.173221 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965448677, win 589, options [nop,nop,TS val 4969721 ecr 2914002081], length 0
02:51:19.173572 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965450117, win 635, options [nop,nop,TS val 4969721 ecr 2914002081], length 0
02:51:19.183222 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002094 ecr 4969713], length 1440
02:51:19.183611 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965451557, win 680, options [nop,nop,TS val 4969731 ecr 2914002094], length 0
02:51:19.184342 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002094 ecr 4969713], length 1440
02:51:19.184718 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965452997, win 725, options [nop,nop,TS val 4969732 ecr 2914002094], length 0
02:51:19.186222 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002096 ecr 4969713], length 1440
02:51:19.186593 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965454437, win 742, options [nop,nop,TS val 4969734 ecr 2914002096], length 0
02:51:19.187204 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002096 ecr 4969713], length 1440
02:51:19.187576 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965455877, win 720, options [nop,nop,TS val 4969735 ecr 2914002096], length 0
02:51:19.189221 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002097 ecr 4969715], length 1440
02:51:19.189594 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965457317, win 698, options [nop,nop,TS val 4969737 ecr 2914002097], length 0
02:51:19.194220 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002097 ecr 4969715], length 1440
02:51:19.195720 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002101 ecr 4969719], length 1440
02:51:19.196719 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002101 ecr 4969719], length 1440
02:51:19.199220 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002103 ecr 4969720], length 1440
02:51:19.200219 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002103 ecr 4969720], length 1440
02:51:19.201077 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002104 ecr 4969720], length 1440
02:51:19.201670 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965465957, win 770, options [nop,nop,TS val 4969749 ecr 2914002097], length 0
02:51:19.202844 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002104 ecr 4969720], length 1440
02:51:19.203216 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965467397, win 816, options [nop,nop,TS val 4969751 ecr 2914002104], length 0
02:51:19.205719 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002106 ecr 4969721], length 1440
02:51:19.206090 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965468837, win 861, options [nop,nop,TS val 4969754 ecr 2914002106], length 0
02:51:19.206838 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002106 ecr 4969721], length 1440
02:51:19.207207 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965470277, win 906, options [nop,nop,TS val 4969755 ecr 2914002106], length 0
02:51:19.207701 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002107 ecr 4969721], length 1440
02:51:19.208072 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965471717, win 937, options [nop,nop,TS val 4969756 ecr 2914002107], length 0
[...]
02:51:19.424937 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969973 ecr 2914002277], length 0 02:51:19.425299 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969973 ecr 2914002277], length 0 02:51:19.425424 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002328 ecr 4969919], length 1440 02:51:19.425796 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002329 ecr 4969920], length 1440 02:51:19.425813 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969974 ecr 2914002277], length 0 02:51:19.426170 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969974 ecr 2914002277], length 0 02:51:19.426180 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002329 ecr 4969920], length 1440 02:51:19.426552 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969974 ecr 2914002277], length 0 02:51:19.432687 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [P.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002329 ecr 4969920], length 1440 02:51:19.433045 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002332 ecr 4969922], length 1440 02:51:19.433087 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969981 ecr 2914002277], length 0 02:51:19.433450 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969981 ecr 2914002277], length 0 02:51:19.434308 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002332 ecr 4969922], length 1440 
02:51:19.434686 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969983 ecr 2914002277], length 0 02:51:19.435562 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002332 ecr 4969922], length 1440 02:51:19.435921 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002334 ecr 4969922], length 1440 02:51:19.435954 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969984 ecr 2914002277], length 0 02:51:19.436322 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969984 ecr 2914002277], length 0 02:51:19.436427 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002336 ecr 4969922], length 1440 02:51:19.436794 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002341 ecr 4969923], length 1440 02:51:19.436799 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965603440, win 1620, options [nop,nop,TS val 4969985 ecr 2914002277], length 0 02:51:19.437177 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4969985 ecr 2914002341], length 0 02:51:19.437294 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002342 ecr 4969924], length 1440 02:51:19.437682 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4969986 ecr 2914002341], length 0 02:51:19.445560 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002356 ecr 4969925], length 1440 02:51:19.445954 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4969994 ecr 2914002341], length 0 
02:51:19.447424 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002358 ecr 4969926], length 1440 02:51:19.447802 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4969996 ecr 2914002341], length 0 02:51:19.461683 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002367 ecr 4969928], length 1440 02:51:19.462057 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970010 ecr 2914002341], length 0 02:51:19.462166 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002368 ecr 4969929], length 1440 02:51:19.462540 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970010 ecr 2914002341], length 0 02:51:19.462550 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002372 ecr 4969930], length 1440 02:51:19.462928 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970011 ecr 2914002341], length 0 02:51:19.464423 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002374 ecr 4969932], length 1440 02:51:19.464820 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970013 ecr 2914002341], length 0 02:51:19.467422 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002377 ecr 4969932], length 1440 02:51:19.467828 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970016 ecr 2914002341], length 0 02:51:19.468041 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002378 ecr 4969934], length 1440 
02:51:19.468437 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970016 ecr 2914002341], length 0
02:51:19.472186 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002382 ecr 4969935], length 1440
02:51:19.472600 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970020 ecr 2914002341], length 0
02:51:19.474186 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002383 ecr 4969935], length 1440
02:51:19.474597 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970022 ecr 2914002341], length 0
02:51:19.475431 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002386 ecr 4969936], length 1440
02:51:19.475813 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970024 ecr 2914002341], length 0
02:51:19.477171 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002387 ecr 4969953], length 1440
02:51:19.477563 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970025 ecr 2914002341], length 0
02:51:19.484555 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002392 ecr 4969955], length 1440
02:51:19.484976 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970033 ecr 2914002341], length 0
02:51:19.541412 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002452 ecr 4969985], length 1440
02:51:19.541796 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965606320, win 1576, options [nop,nop,TS val 4970090 ecr 2914002452], length 0
02:51:19.606136 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [R], seq 1965606320, win 0, length 0

Modules loaded at the time of executing the testcase:

# lsmod | grep "$(echo -ne "conntrack\nnf\nnat\nmasq\tables")" -i
nf_conntrack_netlink 17228 0
nfnetlink 4740 1 nf_conntrack_netlink
iptable_nat 5324 1
nf_nat 18336 2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4 14040 3 iptable_nat,nf_nat
nf_conntrack 66292 5 nf_conntrack_netlink,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_defrag_ipv4 1900 1 nf_conntrack_ipv4
ip_tables 11580 3 iptable_mangle,iptable_filter,iptable_nat
x_tables 16528 4 ipt_REJECT,ipt_MASQUERADE,iptable_nat,ip_tables
configfs 24804 2 netconsole

Note that the outer interface (wlan0) is bandwidth-limiting, that is, it may become saturated due to the limited WLAN bandwidth.

Analysis
=======

The odd parts are here:

02:51:19.484544 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002392 ecr 4969955], length 1440
02:51:19.484981 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965604880, win 1598, options [nop,nop,TS val 4970033 ecr 2914002341], length 0
02:51:19.489293 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002396 ecr 4969956], length 1440
02:51:19.489316 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0

The first 2 packets are perfectly fine. The 3rd packet is fine, too. But the 4th packet is an answer to the 3rd packet as if the conntrack rule did not exist. The answer is an ordinary TCP reset packet. That the conntrack rule apparently did not exist is visible from the TCP sequence number of the reset packet (4th packet): it is the same as the TCP sequence number from the 3rd packet, and not the same as all other TCP sequence numbers from other reply-packets.
Now, it is even odder that the disappearance of the conntrack rule seems to be only temporary, as evidenced by these packets:

02:51:19.539652 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002451 ecr 4969984], length 1440
02:51:19.539664 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.541401 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002452 ecr 4969985], length 1440
02:51:19.541808 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965606320, win 1576, options [nop,nop,TS val 4970090 ecr 2914002452], length 0
02:51:19.547786 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002455 ecr 4969985], length 1440
02:51:19.547798 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0

Packet #1 is answered by TCP-reset-packet #2. But packet #3 is answered by a _normal_ TCP ack packet #4. Then, the subsequent packet #5 is again answered by TCP-reset-packet #6.

This is also visible on the inner interface, packets #3 as well as #4 show up here again:

02:51:19.541412 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, options [nop,nop,TS val 2914002452 ecr 4969985], length 1440
02:51:19.541796 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965606320, win 1576, options [nop,nop,TS val 4970090 ecr 2914002452], length 0

This means: Apparently, conntrack sometimes finds the connection, and sometimes does not.

This problem usually happens when selective acknowledgment TCP options kick in. I've disabled selective acknowledgments on the client, and still the problem happens. (Apparently it happens on packet loss, even when there is no selective acknowledgment enabled.)
This problem is verified for vanilla Linux kernels:

2.6.30.3
2.6.31.6
2.6.32.2

I've downgraded to Linux kernel 2.6.30.3 in order to ensure that the problem is not triggered by the bug fixed by commit f9dd09c7f7199685601d75882447a6598be8a3e0 "netfilter: nf_nat: fix NAT issue in 2.6.30.4+", but the bug seems to exist after f9dd09c7f7199685601d75882447a6598be8a3e0, before f9dd09c7f7199685601d75882447a6598be8a3e0 as well as before 2.6.30.4.

--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
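An added example (not part of the bug report) that automates the comparison made in the analysis: every packet leaving the masqueraded address on the outer interface is labelled "forwarded" if the inner-interface capture contains the same segment, otherwise "local", meaning the router itself emitted it. The sample lines are the ones quoted in the report with the TCP options trimmed; the function names and the matching key are assumptions of this sketch.

```python
import re

PKT = re.compile(r"(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
                 r"Flags \[(?P<flags>[^\]]+)\](?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?")

# Sample input: lines quoted in the report's analysis, TCP options trimmed for width.
OUTER = """\
02:51:19.539652 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, length 1440
02:51:19.539664 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
02:51:19.541401 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, length 1440
02:51:19.541808 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [.], ack 1965606320, win 1576, length 0
02:51:19.547786 IP 62.156.238.26.80 > 192.168.2.103.51602: Flags [.], ack 3972011441, win 3216, length 1440
02:51:19.547798 IP 192.168.2.103.51602 > 62.156.238.26.80: Flags [R], seq 3972011441, win 0, length 0
"""
INNER = """\
02:51:19.541412 IP 62.156.238.26.80 > 192.168.0.7.51602: Flags [.], ack 3972011441, win 3216, length 1440
02:51:19.541796 IP 192.168.0.7.51602 > 62.156.238.26.80: Flags [.], ack 1965606320, win 1576, length 0
"""
NAT = "192.168.2.103.51602"  # masqueraded address.port, as tcpdump prints it

def parse(trace):
    """Turn tcpdump text into dicts; lines that are not IPv4 TCP summaries are skipped."""
    pkts = []
    for line in trace.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue
        h, mi, s = m["ts"].split(":")
        usec = round((int(h) * 3600 + int(mi) * 60 + float(s)) * 1_000_000)
        pkts.append({"usec": usec, "src": m["src"], "dst": m["dst"], "flags": m["flags"],
                     "seq": m["seq"] and int(m["seq"]), "ack": m["ack"] and int(m["ack"])})
    return pkts

def classify_outbound(outer, inner, nat_addr):
    """Label packets leaving nat_addr as 'forwarded' (also seen inside) or 'local'."""
    # The source is left out of the key because masquerading rewrites it.
    seen_inside = {(p["dst"], p["flags"], p["seq"], p["ack"]) for p in inner}
    out = []
    for i, p in enumerate(outer):
        if p["src"] != nat_addr:
            continue
        origin = "forwarded" if (p["dst"], p["flags"], p["seq"], p["ack"]) in seen_inside else "local"
        # Segment being answered: the latest inbound packet before this one.
        trig = next((q for q in reversed(outer[:i]) if q["dst"] == nat_addr), None)
        out.append({"flags": p["flags"], "origin": origin,
                    "gap_usec": p["usec"] - trig["usec"] if trig else None,
                    # A reset answering an ACK-bearing segment takes its seq from that ack field.
                    "seq_is_trigger_ack": bool(trig) and p["seq"] is not None and p["seq"] == trig["ack"]})
    return out

if __name__ == "__main__":
    for row in classify_outbound(parse(OUTER), parse(INNER), NAT):
        print(row)
```

Both captures must cover the same time window, otherwise a forwarded packet that merely falls outside the inner capture is reported as local.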
bugzilla-daemon at bugzilla.netfilter.org
2010-Jan-03 01:05 UTC
[Bug 627] NATed TCP-connections fail arbitrarily
http://bugzilla.netfilter.org/show_bug.cgi?id=627

------- Comment #1 from xuan--2009--bugzilla.netfilter.org at baldauf.org 2010-01-03 02:04 -------
Created an attachment (id=317)
 --> (http://bugzilla.netfilter.org/attachment.cgi?id=317&action=view)
The original unabridged bug report.
bugzilla-daemon at bugzilla.netfilter.org
2010-Jan-04 04:47 UTC
[Bug 627] NATed TCP-connections fail arbitrarily
http://bugzilla.netfilter.org/show_bug.cgi?id=627

------- Comment #2 from xuan--2009--bugzilla.netfilter.org at baldauf.org 2010-01-04 05:47 -------
Maybe I should add that the problem happens on SMP (AMD Phenom(tm) II X3 710 Processor), so maybe it is a memory inconsistency problem. This would explain why, even after the problem has appeared, it is likely that a packet exists which is correctly translated again.
bugzilla-daemon at bugzilla.netfilter.org
2010-Jan-05 07:03 UTC
[Bug 627] NATed TCP-connections fail arbitrarily
http://bugzilla.netfilter.org/show_bug.cgi?id=627

------- Comment #3 from kaber at trash.net 2010-01-05 08:03 -------
Does "iptables -I INPUT -m state --state INVALID -j DROP" fix the problem?
bugzilla-daemon at bugzilla.netfilter.org
2010-Jan-05 07:04 UTC
[Bug 627] NATed TCP-connections fail arbitrarily
http://bugzilla.netfilter.org/show_bug.cgi?id=627

kaber at trash.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|laforge at netfilter.org    |kaber at trash.net